Does the Account Reset Console support the use of complex passwords and password histories?
Yes. When ARC changes passwords, it is bound by the same rules as any other method of changing passwords, but there are two scenarios:
- User impersonation is not turned on
- User impersonation is turned on
In the first scenario, account emulation (second check box) is not turned on in MANAGEMENT | PASSWORD CHANGE FEATURES:
With ARC configured like this, the COM object uses administrative interfaces to change the password, just as if you had changed the password in AD Users and Computers. This means that only password length/complexity is applied; AD is happy to ignore rules based on minimum password age and password history.
In the second scenario, account emulation (second check box) is turned on in MANAGEMENT | PASSWORD CHANGE FEATURES:
With ARC configured like this, the COM object uses user interfaces to change the password, just as if you had changed the password by pressing CTRL+ALT+DEL. This means that all domain policies are applied: password length/complexity, minimum password age, and password history.
In either scenario, ARC will set whatever password you would like it to set, provided it meets the guidelines stated above. If a user attempts to set a password that breaks these rules, such as a password that is too short or not complex enough, then Windows, and in turn we, will report back whatever the error message is. Typically, Windows will return this message:
Error 2245: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
Ironically, this error comes back from Windows no matter how long or complex the password is. To help your users along, you may wish to include a message within ARC that helps them identify this error and explains what their passwords should look like. Something to the effect of:
Domain policy requires passwords be X characters long and must contain AB&C type characters. If you receive error “XXX(See above)”, then your password does not meet these requirements.
Such a message can be placed into the following two locations:
- Management | Password Change Features – “Display the following HTML message to users resetting their own passwords”
- Management | Account Reset Features – “Display the following HTML message to Help Desk personnel resetting accounts”
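The two scenarios and the generic Error 2245 described above, as an added Python example (not part of ARC or of the original article): it reports which rules a candidate password would break depending on whether impersonation is turned on. The policy values, the function names and the simplified complexity check are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample policy; substitute your own domain's values.
POLICY = {"min_length": 8, "complexity": True,
          "min_age": timedelta(days=1), "history_count": 24}

def complexity_ok(password, account_name):
    """Simplified approximation of the Windows complexity rule: at least
    3 of 4 character classes, and the account name must not appear."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    name_in_pw = (len(account_name) >= 3
                  and account_name.lower() in password.lower())
    return sum(classes) >= 3 and not name_in_pw

def explain_2245(password, account_name, last_set, now,
                 impersonation, policy=POLICY):
    """Return (failed, unverifiable): rules the candidate breaks, and rules
    enforced in this mode that cannot be checked outside the domain."""
    failed, unverifiable = [], []
    # Length and complexity are applied in both scenarios.
    if len(password) < policy["min_length"]:
        failed.append("minimum length")
    if policy["complexity"] and not complexity_ok(password, account_name):
        failed.append("complexity")
    if impersonation:
        # Only the user-style change path applies these two rules.
        if policy["min_age"] and now - last_set < policy["min_age"]:
            failed.append("minimum password age")
        if policy["history_count"]:
            # AD keeps history as hashes, so it cannot be tested here.
            unverifiable.append("password history")
    return failed, unverifiable

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)        # constructed timestamps
    last_set = now - timedelta(hours=2)
    for mode in (False, True):
        print(mode, explain_2245("Summer2024!", "jdoe", last_set, now, mode))
```

If the first list is empty and Windows still returns Error 2245 with impersonation turned on, the rules in the second list are the remaining candidates.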